#1 Setup WordPress properly
Use unique keys and salts to add random elements for encryption! Use a cryptic prefix to prevent automated scripts and SQL injections.
$table_prefix = 'wp_VzQCxSJv7uL_';
https://api.wordpress.org/secret-key/1.1/salt/
#2 Protect your wp-config.php
<files wp-config.php>
order deny,allow
deny from all
</files>
This needs to go into your WP root's .htaccess file to prevent external access. Did you know this? Even better… move wp-config.php outside of "www".
#3 Remove the default "admin"
Set up a new user as admin; log out. Log in with the new admin; delete the old one. Make sure to use a STRONG password, pleeaaasssseeee!
http://www.random.org/passwords/
If you are REALLY curious…
http://ottodestruct.com/decoder.php
http://www.tareeinternet.com/scripts/byterun.php
http://www.tareeinternet.com/scripts/decrypt.php
http://rot13-encoder-decoder.waraxe.us/
The PHP code isn't "really" encrypted, rather kind of obfuscated. Reversing is possible!
#7 Update your blogs regularly!
WP Updates Notifier sends you emails about out-dated components (core, themes & plug-ins) for all blogs:
– http://wordpress.org/extend/plugins/wp-updates-notifier/
ManageWP can do one-click mass updates (core, themes, plug-ins again) for all your blogs:
– http://managewp.com/features
#10 Harden your Security Settings
Secure WordPress
Most important: remove the version number from ALL components & block malicious URL requests.
http://wordpress.org/extend/plugins/secure-wordpress/
#11 Protect wp-admin
Recommended: try the "Lockdown WP Admin" plug-in to protect PHP files in wp-admin as well as the login itself. Put an .htaccess into your /wp-admin/ for basic password protection.
http://wordpress.org/extend/plugins/lockdown-wp-admin/
#12 Fix File & Folder Permissions
WP-Security Scan
Very important: chmod your wp-config.php to be read-only!
http://wordpress.org/extend/plugins/wp-security-scan/
#13 Move the "wp-content" folder
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/my-wp-content');
WP_CONTENT_DIR points to the "new" full local path (no trailing slash).
define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');
WP_CONTENT_URL points to the "new" full URI (no trailing slash either).
#14 SSL Logins & Administration
define('FORCE_SSL_LOGIN', true);
Set FORCE_SSL_LOGIN to "true" to force all logins to happen over SSL (still allows non-SSL admin sessions).
define('FORCE_SSL_ADMIN', true);
Use FORCE_SSL_ADMIN to force all logins and all admin sessions to happen over SSL (can be slow…).
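A configuration audit that ties together #1 (keys, salts and table prefix), #12 (read-only wp-config.php) and #14 (FORCE_SSL_ADMIN), added here as an example and not part of the original slides: it parses a wp-config.php and reports which of those settings are still weak. The sample config it checks is constructed, and the regexes assume values contain no quote characters (as the salts from api.wordpress.org do not).

```python
import re
import stat
from pathlib import Path

# Placeholder WordPress ships for every key/salt in wp-config-sample.php.
PLACEHOLDER = "put your unique phrase here"
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Matches define('NAME', 'string'); and define('NAME', true/false); assumes no quotes in values.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(?:['"]([^'"]*)['"]|(true|false))\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
BAD_MODE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH | stat.S_IROTH  # must be clear on a read-only file

def parse_wp_config(text):
    """Return ({constant: value}, table_prefix) parsed from wp-config.php source."""
    defines = {}
    for name, strval, boolval in DEFINE_RE.findall(text):
        defines[name] = (boolval == "true") if boolval else strval
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)

def audit_wp_config(text, mode=None):
    """Return a list of findings; an empty list means every check passed."""
    defines, prefix = parse_wp_config(text)
    findings = []
    for key in SALT_KEYS:  # #1: keys and salts must be set and not the sample placeholder
        val = defines.get(key)
        if not isinstance(val, str) or val == PLACEHOLDER or len(val) < 32:
            findings.append(f"{key} is missing, short or still the default placeholder")
    # #1: a predictable prefix lets automated SQL injection scripts guess table names
    if not prefix or not re.fullmatch(r"wp_[A-Za-z0-9]{8,}_", prefix):
        findings.append("table_prefix is default or predictable; use a random wp_XXXX_ prefix")
    if defines.get("FORCE_SSL_ADMIN") is not True:  # #14: admin sessions over SSL
        findings.append("FORCE_SSL_ADMIN is not set to true")
    if mode is not None and mode & BAD_MODE_BITS:  # #12: file must be read-only
        findings.append(f"wp-config.php mode {oct(mode & 0o777)} is writable or world-readable")
    return findings

def audit_file(path):
    """Audit a real wp-config.php on disk, including its permission bits."""
    p = Path(path)
    return audit_wp_config(p.read_text(), p.stat().st_mode)

# Constructed sample: an unhardened config copied straight from wp-config-sample.php.
SAMPLE_BAD = """
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('FORCE_SSL_ADMIN', false);
"""
```

Run `audit_file('/path/to/wp-config.php')` against a live install; `audit_wp_config(SAMPLE_BAD, 0o644)` shows every check failing on the constructed sample.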
Don't forget to tweak your robots.txt
We don't want some WP-specific files & folders to be crawled:
User-Agent: *
Disallow: /wp-admin/
Disallow: /feed/
Disallow: /comments/feed/
Disallow: /*/trackback/$
Disallow: /*/feed/$
Disallow: /*.css$
Disallow: /*.js$
Disallow: /r/
Adjust the /r/ entry according to your Link Cloaker settings.
#34 Watch out for Errors
Knowledge is power. Use a 404 logger:
– Analytics software
– Redirection (built-in)
– Webserver logs
Set up 301 redirects accordingly using "Redirection", again.
Image credits: http://gdig.de/i
Tip: Make images even smaller!
Use tinyPNG to optimize PNG files without losing quality (up to 70% savings). JPEGmini does the same for JPEG files and will reduce your images massively (up to 80% smaller)!
http://tinypng.org/ & http://www.jpegmini.com/
#38 Combine multiple CSS files